* Security aspects of plugins

Post by Gowermick » 10 Dec 2015 14:39

What safeguards are there that plugins aren't susceptible to trojans?

As much as I dislike asking the question, it has come to my attention that there are those worried that plugins could pose a computer security risk, and have the potential to contain trojans. Are they wrapped in any sort of security blanket, preventing such an occurrence?

Hopefully, Calico is aware of this and has put measures in place to prevent this.

Can anyone confirm this?
Mike Loney

Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com


Re: Security aspects of plugins

Post by tatewise » 10 Dec 2015 15:00

Plugins are plain text files, so the risk of trojans or any other malware is negligible if not impossible.

Plus they are scanned by your anti-virus tool just like any other download.

The Plugin text is 'interpreted' by the Lua interpreter built into FH, rather than 'executed'.

I think it impossible for a Plugin author to be able to somehow arrange to 'install' malware.
Anyway it would invoke all the usual UAC warnings.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry


Re: Security aspects of plugins

Post by Jane » 10 Dec 2015 15:04

Plugins which are in the Plugin Store are checked by Calico before they are added to the store.

Unlike web based plugins such as those for say Wordpress, Plugins are not internet facing so are not susceptible to things like SQL insertion.

You can of course always view any plugin source code yourself if you want to see what it does.
Jane
My Family History : My Photography "Knowledge is knowing that a tomato is a fruit. Wisdom is not putting it in a fruit salad."


Re: Security aspects of plugins

Post by jimlad68 » 10 Dec 2015 15:22

I would imagine a malicious or just plain badly written plugin could do lots of damage to your project, hence, along with other possible situations, the ever present need to backup, backup, backup.
Jim Orrell - researching: see - but probably out of date https://gw.geneanet.org/jimlad68


Re: Security aspects of plugins

Post by Gowermick » 10 Dec 2015 16:18

Mike et al,

Whether code is run or interpreted, Lua is a proper language, and like all other languages, interpreted or not, has the power to interact with the PC, and not just with FH.

I'm re-assured that Calico Pie checks all Plugins in the library, but I think users should be made aware that plugins do have the ability to cause problems, and should only run those from known sources.

I wasn't concerned about what they may do to my data (as jimlad suggested), as I have plenty of backups. I was more concerned about the potential of wreaking havoc on the rest of my PC.
Mike Loney

Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com
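As an added example, not part of any post in this thread and not Calico Pie's own checking process: one way to act on the points above (that plugin source can be read before running it, and that Lua can reach beyond FH) is to list every reference a plugin makes to the standard Lua functions that touch the operating system. Whether FH's built-in interpreter exposes all of these functions is an assumption, and the sample plugin text is constructed for the example.

```python
import re

# Standard Lua library functions that reach outside the host application.
RISKY = {
    "os.execute": "runs a shell command",
    "io.popen": "runs a command and connects to its pipe",
    "os.remove": "deletes a file",
    "os.rename": "renames or moves a file",
    "io.open": "opens a file anywhere the user can",
    "package.loadlib": "loads a native library",
    "require": "loads another module",
    "dofile": "runs another Lua file",
    "loadstring": "compiles code built at run time",
    "load": "compiles code built at run time",
}

# Comments and string literals, blanked out so text inside them is not flagged.
_SKIP = re.compile(
    r"--\[(=*)\[.*?\]\1\]"        # block comment  --[[ ... ]]
    r"|--[^\n]*"                  # line comment
    r"|\[(=*)\[.*?\]\2\]"         # long string    [[ ... ]]
    r'|"(?:\\.|[^"\\\n])*"'       # "double-quoted" string
    r"|'(?:\\.|[^'\\\n])*'",      # 'single-quoted' string
    re.S,
)
_REF = re.compile(
    r"(?<![\w.:])("
    + "|".join(re.escape(n) for n in sorted(RISKY, key=len, reverse=True))
    + r")\b"
)

def audit(source):
    """Return (line, name, reason) for each reference to a RISKY function."""
    clean = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1), RISKY[m.group(1)])
            for m in _REF.finditer(clean)]

# Constructed sample plugin text, not a real Family Historian plugin.
SAMPLE = '''--[[ Constructed sample plugin for this example.
os.execute("inside a comment") must not be flagged ]]
local msg = "io.popen inside a string is ignored"
local run = os.execute  -- aliasing still counts as a reference
local f = io.open("notes.txt", "w")
run("echo hello")
'''

if __name__ == "__main__":
    for line, name, why in audit(SAMPLE):
        print(f"line {line}: {name} ({why})")
```

The scan reports where a function is referenced, not where an alias such as `run` on the last sample line is later called, and it does not see names built at run time (for example `os["execute"]`). A hit tells you which lines to read first; an empty result does not show the plugin is harmless.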


Re: Security aspects of plugins

Post by mjashby » 10 Dec 2015 21:07

Every time a user attempts to install a Family Historian Plugin a warning message from the Developer flashes up highlighting the need to ensure the plugin comes from a reputable/trustworthy source and also warning that it is the user's responsibility to verify that source. There is little more that any developer can do if they decide to provide a plugin feature for their software (usually because of user demand) as, by definition, the feature is provided to allow individuals to extend the features/capability of the standard software provided.

It's exactly the same for Microsoft Office, LibreOffice, Google Chrome, Firefox, Media software and many others where plugins/extensions can be commonly found, not only from their 'official sources' but also all over the Web. If anything, given the nature of the software, Calico Pie's 'Plugin Store' provision is likely to be a far more 'controlled' approach than the myriad of sources for plugins and extensions for any of the other software mentioned. Given that the usage/installation of Family Historian and its available plugins is infinitesimal in comparison with usage of those other apps it seems highly unlikely to be a serious target for malicious hackers whose general aim is to get to as many users as possible to spread their havoc as quickly as possible.

Mervyn
